The manual is way too confusing about this:
It works like this:
LDAP Overview:
LDAPS works fine with Server 2003 R2 AD, and is preferred (leave it on port 636). If you’re using fqdn’s, make sure you have DNS servers set in the network section.
On the Search page:
‘Search DN/Password’ is the Bind DN/Password.
‘Search Base’ is similarly the ‘Base DN’.
‘UID Mask’ should be ‘attribute=%1’, replace attribute with the name of the attribute storing the username, so generally with AD this is ‘sAMAccountName=%1’
Query page:
If ‘Group Container Mask’ = ‘ou=%1’ and Group Container = ‘KVM’ then we’re looking for ou=KVM in the above configured BaseDN. This is where we’ll set everything up. I recommend staying at the top of the tree for simplicity.
Target mask should be ‘cn=%1’ because we’re looking for objects and * Access Control Attribute will be ‘info’ because that corressponds to ‘notes’ in the ADUC UI.
In this OU container:
1) Create a computer object with the same name as the KVM name under ‘Appliance -> Overview’. I renamed this to KVM01. I had to do this on a DC as MMC was crashing on my terminal server when creating a computer object, probably unrelated.
2) Now create a group, call it whatever. In the notes section put ‘KVM Appliance Admin’. This is how we define what you can do. Add the KVM computer object to this group, and any users (or groups, ie domain admins) you want.
3) These people will have full access to the kvm and all objects. It sounds like adding access into individual objects requires being in a group with info of ‘KVM User’ and the computer objects for the actual server names in the group as well. Bah.
Jezus, thank you for figuring this out! I was about to throw in the friggin towel. Integrating LDAP shouldn’t be this damned hard, but the Avocent crew seem to have succeeded in porking their directions up completely.
Their documentation on LDAP read as though it were translated into English from a Chinese translation of the original Polish.
I’m running into issues configuring the group attribute for Appliance mode.
We’re a large organisation, and our AD structure does not allow me to have a top level OU called KVM, nor does it allow me to place the Computer Object in the same OU as groups.
I have an OU further along the chain “Ou=x, Ou=y, DC=my.domain.com” and have added the computer object and user accounts to the group within that OU and configured the notes section as described in the article above. No joy!
Is there any way to get this working given my AD restrictions?
I am having the same problem as Richard. I can make this work for individual accounts, but no go for groups. Doing this for individual accounts is not an acceptable option. What a kludge.
I had the same issue as Richard. My fix was to create an OU with a unique name across my AD structure. Create the group there and add the users and KVM computer account to the group. The KVM account and user accounts dont need to be in the same ou as the group.
I originally had the KVM group in an ou names security, however we have many different ou’s named security in our AD. I ended up creating an OU named KVM(which was unique) within one of the ou’s named security.
In the Advocent config, the Group Container field should just read the name of the OU that contains the group. I think this is the issue with needing a unigue ou name. I tried using the full DN but it wont work. Mine is set to Group Container: KVM
Hope this helps.
This was great help to set this up on a HP IP Console Switch G2 4x1Ex32 – AF622A
I have to say it wasnt completely all there but is sure was close.
in the sear criteria
Search DN: CN=netadmin,OU=Information Systems,OU=Administration,OU=xxx,DC=xxx,DC=org (what ever your serach DN is for your admin user you want to use preferably a service account. a great tool to use for this is an app on your smart phone i used AD helpdesk lite on my iphone.)
Search password: For the user you used to authenticate to the DC
Search Base: i used DC=xxx,DC=org the lowest level of my DC
UID Mask:sAMAccountName=%1
I did what the gentleman above said to do:
“Created a computer or object named it HPKVM and renamed my KVM the same under Appliance> Overview on the web console
2) Now create a group, call it KVM. In the notes section put ‘KVM Appliance Admin’after group was created. This is how we define what you can do. Add the HPKVM computer object to this group, and any users (or groups, ie domain admins) you want I added individual users. to make it easier for me.
Under Query
set the group as: “KVM”
Group Container Mask: ou=%1
Target DeviceMask:cn=%1
Access Control Attribute: info
But all this did not let me in so I just set the Appliance: Basic
and the Target Device: Group Attribute
so then the bottom greys out and the I oviously saved everything everytime.
Then i logged out and used one of the users in the group KVM and sure enough it let me in.
dont use domain\us just un and pw.
You have to do some more config but that atleast gets you in via AD credentials.